Downgrading to Firefox 15 tonight is not a bad idea, Mozilla says.

One day after the release of Firefox 16, Mozilla said it has "temporarily removed" the latest version of its browser because of a security flaw that the company is trying to fix as quickly as possible. The unusual precaution suggests the flaw is a serious one, but there are no reports of it being exploited.

"The vulnerability could allow a malicious site to potentially determine which websites users have visited and have access to the URL or URL parameters," Mozilla Director of Security Assurance Michael Coates wrote. "At this time we have no indication that this vulnerability is currently being exploited in the wild."

Mozilla plans to ship updates tomorrow. But "as a precaution," Mozilla said users may consider downgrading to version 15.0.1, and pointed them to the 15.0.1 download page. "Alternatively, users can wait until our patches are issued and automatically applied to address the vulnerability," Mozilla wrote. Firefox 15 is not affected by the vulnerability.

While the primary Mozilla download site now shows Firefox 15.0.1, Firefox 16 can still be downloaded as of this writing from a separate Mozilla page that lists all the language-specific versions of the browser. (UPDATE: That site was downgraded to Firefox 15.0.1 at some point since this article was posted.) Firefox 16 itself fixed 14 vulnerabilities present in version 15, including 11 that could allow attackers to install software without any user interaction beyond normal browsing.

Although a privacy concern, URLs and their parameters are not really supposed to contain sensitive info. Nice to see how quickly they reacted though.

We had a page break on one of our developers' machines; he had installed 16 early in the day. When no one else had the problem we checked the version and everyone was still on 15.0.1 and it wasn't offering the update anymore. Thought that was strange, now I know why.

Considering that there have been bugs like this in software that takes 1 year to release an update..... what is your damned point?

How short are people's memories?

1 year per *major* update. Firefox still received updates every short while. And with that said, the rapid release cycle didn't change much. All it did was make Firefox's version numbers increase a crapton more than it should.

If I keep version 16, are they going to make available for us a small update just to fix the issue?

I'd say that's pretty much a given. There's no possibility of them NOT making a small update to fix the issue. It will simply (also) be the rereleased, vulnerability-removed version everyone will get soon.

Prior to the rapid release cycle, updates went through considerably more testing, reducing the likelihood of bugs like this getting through.

… but dramatically increasing the time users were affected by all bugs. Would you want to wait a year for everything else to be improved on the hope - likely unrealistic - that all bugs will be caught by more time in small-scale testing? If that strategy worked, we'd be raving about how bug-free Internet Explorer is.


They still had regular security updates even though no major version was released. Security updates didn't bring new functionality, just patches for bugs; they were (and still are) the third digit in the version number (like the current 15.0.1 means one security update was made for version 15).

I too preferred the slow version number release. Why do they really want to catch up version numbers with Chrome? I never took to Chrome exactly because of this habit of version numbers... I'm still on Firefox because I can't find a browser that I like other than this one, which keeps version numbers at a normal rate!

Does anyone really use Firefox anymore? Chrome and even IE9 are far superior now, FF just feels legacy and antiquated. I only use it for the advanced IDM integration but Chrome is a much better daily driver. I think that Mozilla adopting the Chrome build release method, more security bugs, more annoying idiosyncrasies, and less focus on a superior user experience will further push FF to the bottom of the pile.

I didn't read this article, just the headline. I noticed that when I checked for an update using the About screen, it found and applied the update without prompting me for permission to apply said update--something different in my previous experience.


cheers.

I've tried Chrome a few times on my desktop system and always go back to Firefox pretty quickly. On my Android tablet (Transformer Infinity) I use about an equal mixture of Chrome and Firefox. For a web browser, I think the rapid release model makes more sense because web "standards" are constantly evolving (for good and valid reasons), rather than being a well defined standard that is fixed in stone and left static for years.

I think that it might be more accurate to describe it as a "rolling release" rather than a "rapid release", since (as others have mentioned) there were already frequent security patch releases. The main difference is just that new features are gradually rolled out as they're ready, rather than saving them up for rare "major releases". The version number is just a number. Personally I like Ubuntu's version number scheme of using the year.month of the release as the version number, but it's not something that I would ever really care much about.

While commendable by mozilla to remove it and suggest a downgrade, they need to kick it up a notch in their security QA. I can't recall the last time this happened on a browser. Usually they just patch it quickly.


Just because you didn't get to hear about it, on Ars or on the browser's website or some such place, doesn't mean that all the other browsers are bullet-proof. Each has their foibles, and given the fact browsers are having to do more and more as the interwebs penetrate ever more into all aspects of our daily lives and browser code bases are running to hundreds of thousands to a few million lines of code.

Having said that, I think Mozilla's declaration of this issue is both good (in terms of transparency of an open source operation and generally keeping end-users in the know) and bad (pointedly informing casual hackers if they didn't know about this vulnerability). But I would think this is more good, and classy of them to actually downgrade on the main placeholder Firefox page and even recommend users to downgrade if they had the release pushed to their machines. At the end of the day a serious, malicious hacker wouldn't wait for a press release (they actively search for ways to exploit and even make vulnerabilities), while some conscientious hacker not of malicious intent may have informed Mozilla of this very vulnerability.

IMHO we should whole-heartedly commend Mozilla; their QC has been pretty robust for non-profit / open source software. Remember Chrome came later, and it is not as if FF 16 suddenly became IE6. MS has got into the good act with IE10 though; I am just too dependent on the awesome addons of FF to use IE10 on a regular basis.

Would have been nice if they'd blogged about it when it was removed...

I went to Mozilla today to install on another PC (installed on this one yesterday) and only v 15 was available. At which point I wondered if I imagined upgrading.

Googled for it and people were still writing about the release. Not one news article about it being pulled. Searched on the Mozilla website and clicked the news link. Nothing.

I guess that now there are details around, but it got pulled pretty silently. There should be something more visible on Mozilla.org.

I did the same thing you did, and thought I was going crazy. Although last night if you went to the Firefox all downloads page version 16 was still available there at the time, just the main download page was back to 15.0.1.


Since 16(.0.0?) made it into the wild, albeit briefly, I imagine that we'll be seeing 16.0.1 next. I mean, surely they wouldn't ... oh, never mind.

Meanwhile, Thunderbird just updated itself to 16.0 on my system, while Firefox is still showing 15.0.1 as up-to-date. I have no idea if the vulnerabilities are common or if there is any concern there, just thought I'd mention it. I know that Thunderbird is of far less significance these days, drawing about zero coverage, but I do wish that Ars would at least check in on it with these "FF uprated and/or broken" articles. Remember, the FF and TB update cycles are allegedly synced now (until today, perhaps), so please consider at least a sentence. ("Oh yeah, TB too. Whatever.")


Except Mozilla is a corporation controlled by a nonprofit. They return the profits to the development of the software. It has no excuses given that a lot of businesses actually use it. Don't get me wrong, I am not saying they suck or anything, but they might want to hire a process engineer or two to streamline security handling and updates. Security is, you know, kind of a big deal. I'd take a secure browser any day over a flashy one, and that's what Mozilla is usually known for, unless I am mistaken.